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1- PURPOSE AND SCOPE 


Alarko Carrier Sanayi ve Ticaret A.S (“Alarko Carrier"), as the Data Controller, acts in accordance with this 
Policy in processing, storing and transfer of all personal data obtained from the persons with whom we 
have relations, including but not limited to our prospective customers utilizing our products and services, 
employees, their unions, representatives, our interns, trainees, candidate employees, shareholders, 
authorized representatives, suppliers, consultants, business partners and their employees, shareholders, 
authorized representatives, visitors and other persons involved in any transaction with our company such 
as visiting our websites, pursuant to the Constitution of Republic of Turkey, International Conventions our 
country is a party, and the Regulation No 6698 on Protection of the personal Data. 


This Policy is related to all personal data of the data subjects processed via automated or non-automated 
methods provided such methods are included in the data recording system. 


2- Definitions 


The terms, idioms and expressions, concepts, abbreviations etc. used in this Policy shall have the following 
meanings. 


a) Alarko Carrier : Alarko Carrier Sanayi ve Ticaret A.S 

b) Express Consent: Consent given to a specific subject, limited to information and free, not 
limited to hesitation. 

c) Anonymization: Personal data cannot be associated with a specific or identifiable real person 
in any way even by matching it with other data. 

d) Employee: Alarko Carrier Staff. 

e) Personal Data Owner (Data Subject): Natural person whose personal data is processed. 

f) Personal Data : Any information relating to an identified or identifiable natural person; 

g) Special Purpose Personal Data :Data relating to race, ethnic origin, political opinions, 
philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of 
association, foundation or trade-union, health, sexual life, criminal conviction and security 
measures, and biometrics and genetics. 

h) Processing of Personal Data: Any operation which is performed upon personal data such as 
collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, 
retrieval, making available for collection, categorization or blocking its use by wholly or partly 
automatic means or otherwise than by automatic means which form part of a filing system; 

i) Data processor: Natural or legal person who processes personal data based on the authority 
granted by and on behalf of the data controller; 

j) Data controller: Natural or legal person who determines the purposes and means of the 
processing of personal data, and who is responsible for establishment and management of 
the filing system. 

k) Department Manager(s): The manager of the department being the owner of responsible of 
the process or project which require any personal data processing operation. 

l) The project team is the group consisting of the managers and / or representatives of the 
relevant department, who are responsible for the control and monitoring within the scope of 
ensuring and maintaining the protection of personal data. 

m) Committee of Protection of Personal Data : The Department to ensure coordination required 
within the company for ensuring, keeping and continuing compliance of the legislation on 
personal data by Alarko Carrier. 

n) Contact Person: Person responsible for following up personal data processing activities within 
our company on an individual basis. The Contact Person is a member of the GDPR Committee 
and acts as the Contact Person of our Company in accordance with the GDPR Legislation. The 
contact information of the Contact Person is available on our Company's website. 

o) GDPR Board: Personal Data Protection Board. 

p) GDPR Institution : Personal Data Protection Institution. 

q) Regulation on GDP : Regulation on the Protection of Personal Data published in the Official 
Gazette dated April 7, 2016 and numbered 29677. 
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r) Policy: Policy on protection and Processing of Personal Data of Alarko Carrier Sanayi ve 
Ticaret A.S. 


3) DUTIES AND LIABILITIES 


In all activities for the processing and protection of personal data, the GDPR Committee will be a guide 
under the GDPR Policy. All our employees, stakeholders, authorized dealers, authorized services, suppliers, 
solution partners, consultants and their employees, guests, visitors and including but not limited to third 
parties whose personal data is processed, are obliged to comply with Alarko Carrier GDPR Policy and to 
cooperate with the GDPR committee for the elimination of risks. The GDPR Committee is responsible for 
overseeing the compliance of all the bodies and departments of our Company with the GDPR Policy. The 
Contact Person within the GDPR Committee shall carry out the duties and obligations assigned to it in 
accordance with the GDPR Policy. In this context, the GDPR Committee and the Contact Person's duties 
and liabilities are defined as below. 


3.1) Committee of Protection of Personal Data 
A GDPR Committee has been established within the scope of GDPR and within the scope of our Company's 


compliance with this regulation. The Committee is established to; 


a) Ensure compliance with this Policy throughout the Company and protect personal data prescribed by 
the Policy and ensure the effective implementation of the compliance program. 

b) Carry out the necessary assignments and coordination in the daily activities for the implementation 
of GDPR Policy, 

c) Identifying and informing the management of the personal data protection legislation and informing 
the management of such matters, either to submit an opinion on its own or on request, or to take 
necessary actions to obtain expert opinion on the subject, 

d) Raise awareness of the legislation and information security issues within the scope of the protection 
of personal data within the Company and in the cooperation of our Company and provide the 
necessary training for the employees as the Personal Data Processors of our Company. 

e) Maintain and monitor the necessary communication with public institutions and private 
organizations for the protection of personal data, especially GDPR Institution and GDPR Board, 

f) Manage the applications of personal data owners, to finalize them and to ensure timely response to 
applications, 

g) Ensure that the personal data processing inventory of our company is kept up-to-date and that 
necessary notifications are made to the data responsible records, 

h) Ensure that the necessary records are kept in accordance with the Company's personal data 
protection legislation within the scope of GDPR Policy, 

i) Ensure that the personal data processing inventory of our company is kept up-to-date and that 
necessary notifications are made to the data responsible records, 

j) Ensure that the necessary records are kept in accordance with the Company's personal data 
protection legislation within the scope of GDPR Policy, 

k) Examine the noteworthy cases in terms of data security, to identify and implement or implement the 
necessary measures to minimize the risks that may arise on the personal data subjects and the 
Company, 

l) Ensure that the GDPR Policy reflects the requirements of legal, technological and organizational 
changes, 

m) Ensure that GDPR Policies are reviewed periodically and that the proposed changes are submitted to 
management approval along with their reasons, 

n) Fulfill the other duties assigned by our Company within the scope of GDPR. 
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3.2 Contact Person 
In order to monitor the effectiveness of the measures taken by our company to comply with the personal data 


protection legislation, Contact Person is designated and published on the website. The main responsibility of 
the Contact Person is to work towards the fulfillment of the duties and liabilities of the GDPR Committee. 
Contact Person is a member of the GDPR Committee and calls the GDPR Committee to meet if needed. 


Contact Person also acts as the contact person of our Company and the GDPR Institution as Contact Person 
under the GDPR Legislation. 


In the event that the Contact Person is not present in our Company due to annual leave and / or other reasons, 
a different employee is temporarily appointed by the GDPR Committee. In this case, the person who is 
temporarily appointed is responsible for the fulfillment of all duties assigned to the Contact Person under the 
Personal Data Protection Policy. 


3.3 Department Managers 
The manager of the department is responsible for conducting the data processing activities within the 


processes of the relevant department at each department within our company. 


The Department Manager fulfills the requirements of the GDPR Policy and the legislation, within its 
department in this context working in cooperation with the Contact Person and the GDPR Committee. In these 
matters, he/she receives support from other employees within the department and may delegate responsibility 
when necessary. 


3.4 All Employees 
All employees of our Company are obliged to master the GDPR Policies and apply the rules contained therein. 


In this context, all employees of our Company carry out a work in harmony with the GDPR Committee and 
Contact Person and provide feedback on the improvement of GDPR Policy and act in cooperation. 


In case of violation of GDPR Policies and Procedures, the necessary legal remedies will be applied within the 
framework of Labor Law and related laws. 


4) POLICY PRINCIPLES 


Our Company carries out data processing activities pursuant to current, defined, express and legitimate 
purposes in accordance with the legislations and good faith principles on processing of the data in accordance 
with the article 20 of the Constitution and the article 4 of the GDPR and in connection and limited to the 
purposes of processing, and keeps the personal data for the period defined in the applicable laws or for the 
period required for the purpose of processing thereof. 


Our company processes the personal information, identification information, contact details, usage habits 
related to areas of activities, financial data, health information, request and compliant data of the persons with 
whom we have relations, including but not limited to our prospective customers utilizing our products and 
services, employees, their unions, representatives, our interns, trainees, candidate employees, shareholders, 
authorized representatives, suppliers, consultants, business partners and their employees, shareholders, 
authorized representatives, visitors and other persons involved in any transaction with our company such as 
visiting our websites and processes such data for the purposes of ensuring them to utilize the products and 
services of Alarko Carrier, ensure them to be aware of marketing, promotion and novelties, for performance of 
the works, fulfillment of contract requirements, performance of the financial and legal obligations of the 
Company, subject to notification to the data subjects and obtainment of the consent of the data subjects in the 
circumstances requiring obtainment of the Express Consent pursuant to the laws and legislations. 
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5) CONDITIONS ON PROCESSING OF PERSONAL DATA 


Personal data may be processed without obtaining the explicit consent of the data subject if one or more of the 
below conditions exists: 


(a) Express Consent of the Data Subject 


One of the requirements to process personal data is the Express Consent of the Data Subject. Express Consent 
of the Data Subject should be given specifically for certain subject and freely by the Subject. The personal data 
may be processed without the express consent of the Data Subject if the following data processing 
requirements are fulfilled. 


(b) Express Requirement in the Laws 


The personal data of the data owner may be processed when it is required in the applicable legislations or 
another say it is expressly required to process the personal data. 


(c) Failure to Obtain the Express Consent of the Subject due to Physical or Legal Hinderance 


Provided that it will be necessary in order to protect the life or physical integrity of the data subject or another 
person where the data subject is physically or legally incapable of giving consent. 


(d) Data directly related to Establishment or Performance of the Contract 


It is necessary to process the personal data of the data subject being a party to a contract, provided that the 
processing is directly related to the execution or performance of the contract; 


(e) Fulfillment of the Legal Obligation of the Company 
Where it is necessary for compliance with a legal obligation which our Company is subject to; 
(f) Publication of the Personal Data by the Data Subject 


The relevant information is revealed to the public by the data subject herself/himself, the data may be 
processed to the extent such revealing. 


(g) Processing required for the institution, usage, or protection of a right; 


Where it is necessary for the institution, usage, or protection of a right; the data may be processed for such 
purpose. 


(h) Necessity of processing for the legitimate interests of our Company 


It is necessary for the legitimate interests of our Company, provided that the fundamental rights and freedoms 
of the data subject are not harmed. 


6. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA 


Special Purpose Personal Data is processed by our Company in accordance with the applicable legislations and 
the principles contained in this Policy, subject to taking of all administrative and technical measures and 
fulfillment of the following requirements: 


(a) Personal data other than personal data relating to health and sexual life, may be processed without 
obtaining the explicit consent of the data subject if processing is permitted by any law. Otherwise the express 
consent of the data subject is required. 


(b) Personal data relating to health and sexual life may only be processed without obtaining the explicit 
consent of the data subject for purposes of protection of public health, operation of preventive medicine, 
medical diagnosis, treatment, and care services, planning and management of health services and financing by 
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persons under the obligation of secrecy or authorized institutions and organizations. Otherwise the express 
consent of the data subject is required. 


7. PURPOSES OF PROCESSING OF PERSONAL DATA 
Our Company processes the personal data with the following objectives and conditions limited to the purposes 
and conditions within the personal data processing conditions specified in Paragraph 2 of Article 5 and 
paragraph 3 of the Article 6 of the GDPR. These objectives and conditions are: 

e Research and development and production activities 

e Sale of products and spare parts, 

e Performance of after-sales services, 

e  Fulfiling the requirements of the contracts, 

e Arrangement and collection of invoices, 


e Presentation of product-service, information, advertising, campaign and other benefits to customers; 
sending commercial electronic messages; providing various advantages through survey applications 
and statistical analysis; 


e Improving service quality and providing better service, 

e Service procurement from external sources, 

e To be able to receive services that are not subject to their specialization, 

e Identity verification, 

e Evaluation and response of requests and complaints, 

e Financial agreement with related business partners and other third parties, 


e Providing the necessary information in accordance with the requests and inspections of the official 
authorities, 


e Measuring customer satisfaction, 


e |n terms of employees, creation of personnel files, determining whether or not he / she qualified to 
fulfill the requirements of the job, making private health insurance, creating health file, taking 
occupational safety measures, 


e The visual and auditory data obtained in the competition, organization, work and other activities 
within the scope of the activity area are prepared for the purpose of creating the corporate memory 
and developing the business. 


e Using the website or social media channels for marketing purposes through third party agencies, 
e Fulfillment of legal obligations, 

e Reporting and execution of risk management procedures, 

e Implementation / pursuit of legal affairs, 


e Creating and tracking visitor cards. 


8. PROCESSING OF THE PERSONAL DATA OBTAINED BY THE AUTHORIZED DEALERS, AUTHORIZED SERVICES, 
CALL CENTER OR OTHER COMPANIES ACTING AS A SOLUTION PARTNER FOR AND ON BEHALF OF OUR 
COMPANY 
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While carrying out its activities, our Company is contracting with some companies in cooperation with our 
company as Authorized Dealers, Authorized Services, Call Center or other companies acting as a solution 
partner and carries out some of its activities through these persons. 


In this context, the personal data of a significant portion of our Company's customers are obtained from 
natural persons who have data through these companies by fulfilling the obligation to illuminate, and by 
consent, and transferred to our Company. In order to carry out the work, these data can be processed by both 
the Company and the companies collecting these data. In cooperation with our company, these companies 
inform the person to collect the personal data of the person concerned that these personal data can be sent to 
our Company. Our Company evaluates the collection of personal data on its own behalf and informs the 
companies that it cooperates in this regard, provides the necessary training in case of necessity and ensures 
the signing of the contracts prepared in accordance with the GDPR regulating the rights and obligations of the 
parties. 


9. DISCLOSURE TO THE DATA SUBJECT 


Our Company as the Data controller is obligated to inform the data subjects while collecting the personal data 
with regard to the identity of the data controller and if any, its representative, the purposes for which personal 
data will be processed, the persons to whom processed personal data might be transferred and the purposes 
for the same, the method and legal cause of collection of personal data, and their rights for processing of the 
personal data of the subjects, pursuant to the article 10 of the GDPR. 


10. TRANSFER OF PERSONAL DATA 


In accordance with the lawful personal data processing requirements, the Company shall take the necessary 
security measures to transfer the personal data and the Special Purpose Personal Data of the Data Subject to 
third parties (third party companies, group companies, third party natural persons). Personal data, even 
without the Express Consent of the data subject, may be transferred to third parties by taking the legal, 
technical and administrative measures in accordance with the applicable legislation and regulations, if one or 
more of the following conditions exist. 


* Express indication of the relevant activities relating to the transfer of personal data, 


* The transfer of personal data by the Company is directly relevant and necessary for the establishment or 
execution of a contract, 


* The transfer of personal data compulsory for our Company to fulfill its legal obligation, 
* Personal data being publicized by the data owner, 


* The transfer of personal data by the Company required for the establishment, use or protection of the rights 
of the Company or the data subject or third parties, 


e |t is mandatory for personal data transfer activities for the Company's legitimate interests, provided that they 
do not harm the fundamental rights and freedoms of the data subject, 


* A person who is unable to explain his consent due to impossibility, or whose legal consent is not given to his 
consent, is compulsory to protect himself or someone else's life or body integrity. 


Personal data may be transferred abroad without obtaining the explicit consent of the data subject if one of 
the conditions set forth above is present and If the foreign country to whom personal data will be transferred 
has an adequate level of protection. In case there is not an adequate level of protection, if the data controllers 
in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the 
Board exists. 
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11. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA 


Special Purpose Personal Data may be transferred by our Company in accordance with the principles specified 
in this Policy and taking all administrative and technical measures required including the methods to be 
determined by the Board, and in case of fulfillment of the following requirements. 


(a) Personal data other than personal data relating to health and sexual life, may be processed without 
obtaining the explicit consent of the data subject if processing is permitted by any law. Otherwise the express 
consent of the data subject is required. 


(b) Personal data relating to health and sexual life may only be processed without obtaining the explicit 
consent of the data subject for purposes of protection of public health, operation of preventive medicine, 
medical diagnosis, treatment, and care services, planning and management of health services and financing by 
persons under the obligation of secrecy or authorized institutions and organizations. Otherwise the express 
consent of the data subject is required. 


Personal data may be transferred abroad without obtaining the explicit consent of the data subject if one of 
the conditions set forth above is present and If the foreign country to whom personal data will be transferred 
has an adequate level of protection. In case there is not an adequate level of protection, if the data controllers 
in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the 
Board exists. 


12. STORING PERIODS OF PERSONAL DATA 


Our Company stores personal data by taking all necessary legal, technical and administrative measures in 
accordance with the GDPR for the period stipulated in these regulations. 


If the legislation does not include any requirement on how long the personal data should be kept, the personal 
data are kept for a period of time that requires the Company to store the data in accordance with the practices 
and practices of the sector, and then it is deleted, destroyed or anonymized according to the related policy 
established by our Company. 


If the purpose of processing of the personal data has been achieved, the periods stipulated in the applicable 
legislations and our Company have expired, the personal data may only be kept to make claims or defenses 
against claims made related to the personal data. The times for storing the data shall be determined 
considering the presendents experienced by our company in similar subjects. In this case, the personal data 
stores may not be acessed for any other purpose, only they are accesssed when and tot the extent required 
for use in legal disputes. An in this case, the data is deleted, destroyed or anonymized according to the related 
policy established by our Company. 


13. RIGHTS OF THE PERSONAL DATA SUBJECTS AND USE OF THESE RIGHTS 
Pursuant to the GDPR, Personal Data Subjects have the right to; 

(1) Learn whether or not her/his personal data have been processed; 

(2) Request information as to processing if her/his data have been processed; 


(3) Learn the purpose of processing of the personal data and whether data are used in accordance with their 
purpose; 
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(4) Know the third parties in the country or abroad to whom personal data have been transferred; 


(5b) Request rectification in case personal data are processed incompletely or inaccurately, and to request 
notification of the third parties to whom the personal data is transferred in this sense; 


(6) Request deletion or destruction of personal data, where the reasons for processing of the data will be 
expired, regardless whether it is processed as per the Laws and other applicable legislations, and to request 
notification of the third parties to whom the personal data is transferred in this sense; 


(7) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data 
exclusively through automated systems; 


(8) Request compensation for the damages in case the person incurs damages due to unlawful processing of 
personal data, by applying to the data controller. 


The Data subjects may communicate their requests related to such rights to our Company via the methods as 
determined by the Board. In this sense, they are allowed to use the Data Subject Application Form available at 
www.alarko-carrier.com.tr. Our company will evaluate the application made by the data subject and will 
complete the request as soon as possible within no later than 30 (thirty) days as free of charge according to the 
nature of the request. However, if the transaction requires a cost, the fee may be charged according to the 
tariff set by the Board. 


14. EXAMINATION AND AUDIT 


The GDPR Committee within the Company will monitor the legal, technological and organizational changes and 
developments that may occur within the scope of protection of personal data and ensure that the necessary 
actions are taken to ensure that our Company will comply with these developments. 


The GDPR Committee personal data processing operations and any matter related to such operations ex-officio 
or on a complaint. As a result of the review, the incompliance identified as per the rules and / or regulations 
determined in the GDPR Policies and suggestions for improvement are reported to the management by the 
GDPR Committee. Contact Person follows the necessary studies related to such process. 


The GDPR Committee conducts at least 1 (one) review per annum to ensure compliance of the Company with 
the personal data protection legislations. Such review is carried out by the GDPR Committee. 


The review shall examine, as a minimum, the following issues: 


a) Effective and proper implementation of GDPR Policies, duties and liabilities are properly assigned by 
management, undertaken and performed by employees, 

b) Adequate level of education and awareness of employees, 

c) Personal data processing inventory, disclosures and other documents are accurate, complete and up- 
to-date, 

d) Effective and sufficient administrative and technical measures are in place for personal data security, 

e) GDPR Policies are up-to-date considering legal, technological and organizational developments. 


The points identified after the review requiring improvements are reported to the management by the GDPR 
Committee; and in this context, the necessary activities are followed by Contact Person. The GDPR Committee 
ensures that necessary improvements are made after the approval of management as per these 
determinations. 
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15. APPLICATION OF POLICY AND APPLICABLE LEGISLATIONS 


The applicable legal regulations shall be applied first on processing and protection of the personal 
data. In the event of incompliance between the legislations in force and the policy, the policy shall be 
updated in accordance with the applicable legislations. 
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